Axis system configuration listing enabled in WEB-INF/server-config.wsdd - Vulnerability Database

Description

This Apache Axis web application has the enableListQuery parameter enabled in its Web Service Deployment Descriptor (WSDD) configuration file. When enabled, this feature allows unauthenticated users to retrieve the complete system configuration by querying the web service, potentially exposing sensitive information including administrative credentials, internal service endpoints, and deployment architecture details.

Remediation

Disable the configuration listing feature by modifying the WEB-INF/server-config.wsdd file. Locate the <globalConfiguration> section and set the axis.enableListQuery parameter to false:

<globalConfiguration>
  <parameter name="axis.enableListQuery" value="false"/>
</globalConfiguration>

After making this change, restart the application server to apply the configuration. Additionally, review the WSDD file to ensure no sensitive credentials are stored in plaintext—consider using encrypted passwords or external credential stores. Verify the change by attempting to access the configuration listing endpoint and confirming it returns an error or access denied message.
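The review step above can be scripted. The following is an added example, not code from Invicti or the Apache Axis project: it parses a WSDD file, reports whether axis.enableListQuery is explicitly "false" under <globalConfiguration>, and lists parameters that look like plaintext passwords. The status names, the "password" name heuristic and both sample documents are assumptions made for this illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_EXPOSED = """<deployment xmlns="http://xml.apache.org/axis/wsdd/">
  <globalConfiguration>
    <parameter name="adminPassword" value="admin"/>
    <parameter name="axis.enableListQuery" value="true"/>
  </globalConfiguration>
</deployment>"""
SAMPLE_FIXED = """<globalConfiguration>
  <parameter name="axis.enableListQuery" value="false"/>
</globalConfiguration>"""

def local(tag):
    """Drop an XML namespace prefix: '{ns}parameter' -> 'parameter'."""
    return tag.rsplit("}", 1)[-1]

def audit_wsdd(xml_text):
    """Return (status, secret_names) for a WSDD document.

    status: 'ok' if every axis.enableListQuery entry under
    <globalConfiguration> is "false", 'missing' if there is none,
    'review' for any other value.
    """
    root = ET.fromstring(xml_text)
    values = [
        (p.get("value") or "").strip().lower()
        for gc in root.iter() if local(gc.tag) == "globalConfiguration"
        for p in gc
        if local(p.tag) == "parameter" and p.get("name") == "axis.enableListQuery"
    ]
    if not values:
        status = "missing"
    else:
        status = "ok" if all(v == "false" for v in values) else "review"
    # Heuristic (assumption): a non-empty value on a parameter whose name
    # contains "password" is treated as a plaintext credential to review.
    secrets = sorted({
        p.get("name") for p in root.iter()
        if local(p.tag) == "parameter"
        and "password" in (p.get("name") or "").lower() and p.get("value")
    })
    return status, secrets

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_EXPOSED
    status, secrets = audit_wsdd(text)
    print(f"axis.enableListQuery: {status}; password parameters: {secrets}")
    sys.exit(0 if status == "ok" and not secrets else 1)
```

Run it with the path to WEB-INF/server-config.wsdd as the only argument; a non-zero exit code means the file still needs attention.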
